网络安全公司 Apiiro 表示,GitHub 在过去几个月中一直遭受着所谓的依赖混淆 (Dependency Confusion) 攻击,大量恶意代码仓库涌入其中。网络犯罪分子会克隆现有的代码仓库,添加恶意软件加载器,并将其上传到 GitHub,使用与合法版本完全相同的名称。通过自动化过程,代码仓库会被分叉成成千上万个副本,出现大量与原始项目名称完全相同的分支,犯罪分子希望借此欺骗开发人员下载这种恶意版本,以借此传播其恶意软件,最终窃取用户的密码或加密货币。
这种攻击从去年 5 月开始,尽管攻击策略在此期间有所变化。去年 5 月,恶意软件包被上传到 PyPI,并通过对流行 GitHub 代码仓库分叉的调用来传播。PyPI 随后删除了这些软件包,于是犯罪分子开始直接向 GitHub 上传恶意代码仓库。自去年 11 月以来,已经复制了至少 10 万个代码仓库,但研究人员估计可能达到数百万个。
一部分分叉仓库会很快被删除。GitHub 可以识别出自动化分叉的情况,并将其下线。然而,Apiiro 发现仍有许多代码仓库被忽略。此外,部分仓库是手动创建的,因此不会被注意到。由于攻击规模庞大且攻击链是自动化的,研究人员表示,“即使只有 1% 的恶意代码仓库逃过了检测,这仍然意味着数千个恶意代码仓库”。
GitHub 没有否认 Apiiro 的估计,但拒绝回答美国媒体 Ars Technica 的进一步问题。该平台在一份声明中表示,他们致力于为开发人员提供安全平台,并设有专门的团队来检测、分析和删除违反条款的内容。这既通过手动检查,也通过机器学习实现。“我们鼓励社区成员和客户举报滥用和垃圾信息。”
Security firm Apiiro has revealed that GitHub has been experiencing a significant influx of malicious code repositories over the past few months due to a type of attack known as Dependency Confusion. In this attack, cybercriminals clone existing code repositories, add malicious software loaders, and upload them to GitHub using the exact same names as legitimate versions. Through an automated process, the code repositories are forked thousands of times, resulting in numerous branches with names identical to the original projects. The criminals hope to deceive developers into inadvertently downloading these malicious versions, thereby spreading their malware and ultimately stealing user passwords or cryptocurrencies.
This attack has been ongoing since May of last year, although the attack tactics have evolved over time. In May of last year, malicious packages were uploaded to PyPI (Python Package Index) and spread through calls made within forks of popular GitHub repositories. After PyPI removed these packages, the criminals began uploading malicious code repositories directly to GitHub. Since November, at least 100,000 repositories have been replicated, but researchers estimate that the number could potentially reach millions.
Some of the forked repositories are quickly deleted. GitHub has the ability to identify automated forks and take them offline. However, Apiiro has discovered that many repositories are still being overlooked. Additionally, some repositories are manually created, making them less noticeable. Due to the scale of the attack and its automated nature, the researchers state that “even if only 1% of the malicious code repositories evade detection, it still translates to thousands of malicious repositories.”
GitHub has not disputed Apiiro’s assessment, but it has declined to answer further questions from the American media outlet Ars Technica. In a statement, GitHub expressed its commitment to providing a secure platform for developers and mentioned the dedicated teams responsible for detecting, analyzing, and removing content that violates their terms of service. This is accomplished through both manual checks and machine learning. They also encourage community members and customers to report abuse and spam.
微信扫一扫